All of a sudden, no upgrades or anything - our LSWS has started becoming unavailable for periods of exactly 300 seconds each time.

The server is located behind a reverse proxy traffic manager (Riverbed Stingray), which means that the 'source IP' that the LSWS sees is that of the traffic manager, not of the actual user.

So my hunch is that someone is doing something bad to the LSWS service, the Stingray passes it down to the LSWS, and the LSWS somehow blocks this IP - as this is the Stingray's IP - it naturally blocks everyone coming from the Stingray...

My first question - how can I tell / what log could I check to see if LSWS has invoked some sort of 300 second ban? This is pretty much a default setup - I didn't think such a DoS feature was enabled as default?

My second question - is it possible to pass the X-FORWARDED-FOR header through to LSWS and get it to read this as the source IP rather than the source IP of our reverse proxy?

Yes, looks fine, but you should use a comma instead of a space to separate IPs:
"Syntax: Comma delimited list of IP addresses or sub-networks. A trailing "T" can be used to indicate a trusted IP or sub-network, such as 192.168.1.*T."